An intrusion is when an unauthorized user (e.g., a “hacker,” etc.) attempts to break into or misuse (e.g., steal confidential data, etc.) a computer system. An intrusion-detection system (IDS) monitors messages (e.g., packets, etc.) incoming to a computer system and outgoing from the computer system, and based on these messages tries to determine whether an intrusion is being attempted. An intrusion-detection system might conclude that an intrusion attempt is in progress when an atypical or suspicious sequence of messages occurs, or when a sequence of messages matches a known attack signature.
FIG. 1 depicts a schematic diagram of telecommunications system 100 in accordance with the prior art. As shown in FIG. 1, telecommunications system 100 comprises internal network 101 (e.g., a corporate metropolitan-area network, a residential local-area network, etc.), which receives messages via an external network (e.g., the Internet, etc.) and sends messages via the external network to external data-processing systems.
FIG. 2 depicts a schematic diagram of the elements of internal network 101, in accordance with the prior art. As shown in FIG. 2, internal network 101 comprises: intrusion-detection system (IDS) 220, firewall 215, and computer systems 204-1 through 204-N, where N is a positive integer, interconnected as shown.
Each computer system 204-n, where nε1, 2, . . . , N, might be a personal computer, a server, a laptop computer, a personal digital assistant (PDA) with wireless local-area network communication capability, etc.
An incoming message that is directed to computer system 204-n, where nε1, 2, . . . , N, first passes through firewall 215, which inspects the message and decides whether to block the message from reaching its destination or to let the message through based on rules in a rule set. Examples of rules include: block all messages from domain badguys.com; block all messages except those of a certain protocol type; etc.
If firewall 215 lets the incoming message through, then intrusion-detection system (IDS) 220 subsequently receives the message and inspects it. Intrusion-detection system (IDS) 220 provides an additional layer of security by detecting intrusion attempts that comprise one or more messages that are allowed through firewall 215. For example, firewall 215 might restrict external access to a web server in internal network 101 to port 80, but without an intrusion-detection system, it might be possible to attack the web server itself via legitimate traffic through port 80 due to bugs in the web server software (e.g., ColdFusion, Apache, etc.). As an analogy, firewall 215 acts as a “fence” around internal network 101. A fence provides security but does not have the ability to detect when someone is trying to break in (e.g., by digging an underground tunnel, etc.). Intrusion-detection system (IDS) 220 typically can recognize some break-in attempts that firewall 215 cannot detect, and therefore it is advantageous to deploy intrusion-detection system (IDS) 220 in addition to firewall 215 for added security.
When intrusion-detection system (IDS) 220 relies on an attack signature database, it is essential to keep the database up-to-date. In particular, over time malicious users often discover new techniques to exploit vulnerabilities and attack systems, and in response security experts formulate new attack signatures to guard against these techniques. As in the case of antivirus software, the owner of intrusion-detection system (IDS) 220 typically has two options to ensure that the attack signature database is regularly updated with new attack signatures: either subscribe to an automated update service provided by the vendor of intrusion-detection system (IDS) 220, or manually check for new attack signatures and retrieve and install them. In either case, the efficacy of intrusion-detection system (IDS) 220 depends on the owner's diligence—in the former option, the owner must periodically pay subscription fees in a timely fashion, and in the latter option, the owner must check for new updates with great frequency—as well as some combination of time, effort, and money.
Voice over Internet Protocol (VoIP) systems transmit voice traffic over packet-switched Internet Protocol (IP) data networks in lieu of circuit-switched telephony networks (e.g., the Public Switched Telephone Network, etc.). Typically, Voice over Internet Protocol systems are based one of two main protocols: H323 and Session Initiation Protocol (SIP). In both types of systems, VoIP user agents at the calling and called telecommunications terminals (e.g., hardphones, softphones, etc.) send and receive packets that contain encoded voice signals in accordance with the Real-time Transport Protocol (RTP). In addition, a VoIP gateway might employ a media management protocol such as the Media Gateway Control Protocol (MGCP) or MEGACO/H.248 in order to translate traffic transparently between an IP-based network and a non-IP-based network (e.g., between a PSTN phone and an IP phone, etc.).
A key benefit of VoIP is that it enables the convergence of voice and data networks. By migrating voice traffic to data networks, however, the voice network becomes vulnerable to intrusions and other attacks (e.g., denial-of-service attacks, authentication attacks, etc.) that compromise privacy, quality of service, and accurate billing. Moreover, due to characteristics of Voice over Internet Protocol systems, some intrusion-detection systems of the prior art provide inadequate security against intrusions that employ VoIP packets (i.e., VoIP-based intrusions).